Summary

Non-Goals

It is not a goal to support version 1.3 of the Datagram Transport Layer Security (DTLS) Protocol. It is also not a goal to support every feature of TLS 1.3; see the Description section for more details on what will be implemented.

Motivation

TLS 1.3 is a major overhaul of the TLS protocol and provides significant security and performance improvements over previous versions. Several early implementations from other vendors are available already. We need to support TLS 1.3 to remain competitive and keep pace with the latest standard.

Description

TLS 1.3 is a new TLS version which supersedes and obsoletes previous versions of TLS including version 1.2 (RFC 5246). It also obsoletes or changes other TLS features such as the OCSP stapling extensions (RFC 6066, RFC 6961), and the session hash and extended master secret extension (RFC 7627).

TLS 1.3 is not directly compatible with previous versions. Although TLS 1.3 can be implemented with a backward-compatibility mode, there are several compatibility risks when using this mode:

TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions use a duplex-close policy. For applications that depend on the duplex-close policy, there may be compatibility issues when upgrading to TLS 1.3.

The signature_algorithms_cert extension requires that pre-defined signature algorithms be used for certificate authentication. In practice, however, an application may use signature algorithms that are not among those supported.

The DSA signature algorithm is not supported in TLS 1.3. If a server is configured to only use DSA certificates, it cannot upgrade to TLS 1.3.

The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 and prior versions. If an application hard-codes cipher suites which are no longer supported, it may not be able to use TLS 1.3 without modifying the application code.

To minimize compatibility risk, this TLS 1.3 implementation will implement and enable the backward-compatibility mode by default. An application can turn off the backward-compatibility mode, and turn TLS 1.3 on or off if desired.
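As an added example, not part of this JEP or the JDK's own code, the following Java program shows how an application can detect the hard-coded cipher suite risk described above and enable TLS 1.3 while retaining TLS 1.2 for older peers, using only the standard JSSE API (SSLContext, SSLParameters, SSLEngine). The TLS 1.3 suite names come from RFC 8446, Appendix B.4; the hard-coded suite list is a constructed sample.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.*;

public class Tls13CompatCheck {
    // TLS 1.3 cipher suites defined in RFC 8446, Appendix B.4; a given JDK may support only a subset.
    static final Set<String> TLS13_SUITES = Set.of(
        "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256");

    /** Suites in the application's hard-coded list that are TLS 1.3 suites supported by this JDK. */
    static List<String> tls13Usable(List<String> hardCoded, Set<String> supportedByJdk) {
        List<String> out = new ArrayList<>();
        for (String s : hardCoded) {
            if (TLS13_SUITES.contains(s) && supportedByJdk.contains(s)) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a suite list an application might have hard-coded for TLS 1.2.
        List<String> hardCoded = List.of(
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        Set<String> jdkSuites = new HashSet<>(Arrays.asList(supported.getCipherSuites()));
        boolean jdkHasTls13 = Arrays.asList(supported.getProtocols()).contains("TLSv1.3");

        if (jdkHasTls13 && tls13Usable(hardCoded, jdkSuites).isEmpty()) {
            System.out.println("WARNING: hard-coded list has no TLS 1.3 suite; TLS 1.3 cannot be negotiated");
        }

        // Put this JDK's TLS 1.3 suites first, keep the hard-coded suites it knows, and enable TLS 1.3
        // with TLS 1.2 retained for peers that lack it (TLS 1.3 is simply left off on an older JDK).
        List<String> suites = new ArrayList<>();
        for (String s : supported.getCipherSuites()) if (TLS13_SUITES.contains(s)) suites.add(s);
        for (String s : hardCoded) if (jdkSuites.contains(s) && !suites.contains(s)) suites.add(s);
        String[] protocols = jdkHasTls13 ? new String[] {"TLSv1.3", "TLSv1.2"} : new String[] {"TLSv1.2"};

        SSLEngine engine = ctx.createSSLEngine();
        engine.setSSLParameters(new SSLParameters(suites.toArray(new String[0]), protocols));
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("Enabled suites:    " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Running it on a JDK without TLS 1.3 keeps the application on TLS 1.2 unchanged; on a TLS 1.3-capable JDK it reports whether the hard-coded list alone would have blocked the upgrade.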

Testing

Tests will be developed or enhanced to validate the following general requirements:

Verify that there is no compatibility impact for (D)TLS 1.2 and prior versions.

Verify that the implementation does not break backward compatibility in unexpected ways.

Verify that the implementation does not introduce any unexpected interoperability issues.

Verify that there is no significant performance impact.

Verify that the implementation, in both client and server modes, interoperates with other TLS 1.3 implementations.

Risks and Assumptions

A third-party TLS 1.3 implementation that supports the RFC is required for interoperability testing.

Dependencies

TLS 1.3 requires support for the RSASSA-PSS signature algorithms (8146293).